php mysql adodb

老子叫甜甜 submitted on 2019-12-08 07:41:01

Question


I'm using PHP with adodb but have come up against a massive problem. I'm using adodb to speed up development so I can do things like:

$r["Name"] = $_POST['txtName'];

if ($_POST["ID"] != "")
  $conn->AutoExecute("content", $r, 'UPDATE', 'AutoID = ' . $_POST["ID"]);      
else
  $conn->AutoExecute("content", $r, 'INSERT');

However, if that name has a single quote in it, it saves into the db with a slash! So if the name is Testimonial's it will save as Testimonial\'s, which is causing me massive problems. Is there any way I can avoid this but still program like above, as it's a hell of a lot quicker than preparing insert / update statements?

Cheers


Answer 1:


The correct and final solution to this issue is composed of two parts:

  1. Disable all magic_quotes programmatically in your code. This ensures that you have a known configuration to work with, which cannot be broken if/when an admin changes these php.ini settings.
  2. Validate/quote all incoming user input before accessing the database!

While the first part is good programming, the second is absolutely essential to write a secure application!

To quote the user input there are two ways you can go:

  1. Manually (use AdoDB's qstr or Quote), in which case you must be very, very careful not to miss anything. This can be quite doable for small projects; I have gone this way many times in the past.
  2. Use prepared statements with bound variables to make your queries. This ensures that there will never be an SQL injection in your app as long as you specify the variable types correctly, and is way less error-prone than the first option. This is what I have been doing for some time now.

Update:

If you go with prepared statements, you may find that AdoDB doesn't buy you that much and you can use PDO for most of the work. When you need something "automagic", you can write a few functions specific to the application yourself. In my experience, that's just a little more work and overall better than including AdoDB.




Answer 2:


Thanks for the input, I've decided to turn off magic quotes at runtime with this function:

// Undo the escaping that magic_quotes_gpc applied to every request value,
// so the application always sees the raw, unescaped input.
if (get_magic_quotes_gpc()) {
    function stripslashes_gpc(&$value)
    {
        $value = stripslashes($value);
    }
    array_walk_recursive($_GET, 'stripslashes_gpc');
    array_walk_recursive($_POST, 'stripslashes_gpc');
    array_walk_recursive($_COOKIE, 'stripslashes_gpc');
    array_walk_recursive($_REQUEST, 'stripslashes_gpc');
}

However is that then prone to SQL injection?
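Answer 1's second option, applied to the question raised in Answer 2, as an added example that is not from the original thread or from AdoDB: an AutoExecute-style helper built on PDO prepared statements, where every value and the row id are bound rather than concatenated. The ALLOWED_COLUMNS allow-list, the table schema and the sample input are constructed assumptions for this example.

```php
<?php
// Added example, not code from the original post or from AdoDB. Values and the row id
// are always bound, so "Testimonial's" is stored literally (no stripslashes needed) and
// a hostile ID cannot alter the statement. Table and column names cannot be bound,
// so they are checked against a hypothetical allow-list instead.
const ALLOWED_COLUMNS = ['content' => ['Name', 'Body']];
function autoExecute(PDO $pdo, string $table, array $row, string $mode, ?int $id = null): int
{
    if (!array_key_exists($table, ALLOWED_COLUMNS)) {
        throw new InvalidArgumentException("Unknown table: $table");
    }
    $columns = array_keys($row);
    foreach ($columns as $col) {
        if (!in_array($col, ALLOWED_COLUMNS[$table], true)) {
            throw new InvalidArgumentException("Unknown column: $col");
        }
    }
    $params = array_values($row);
    if ($mode === 'INSERT') {
        $marks = implode(', ', array_fill(0, count($columns), '?'));
        $sql = "INSERT INTO $table (" . implode(', ', $columns) . ") VALUES ($marks)";
    } elseif ($mode === 'UPDATE' && $id !== null) {
        $set = [];
        foreach ($columns as $col) {
            $set[] = "$col = ?";
        }
        $sql = "UPDATE $table SET " . implode(', ', $set) . ' WHERE AutoID = ?';
        $params[] = $id;           // bound as a parameter, never concatenated
    } else {
        throw new InvalidArgumentException("Unsupported mode or missing id: $mode");
    }
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->rowCount();
}
// Usage mirroring the question, on an in-memory SQLite database so it runs offline.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE content (AutoID INTEGER PRIMARY KEY AUTOINCREMENT, Name TEXT, Body TEXT)');
// Constructed sample input standing in for $_POST['txtName'] and $_POST['ID'].
$post = ['txtName' => "Testimonial's", 'ID' => ''];
$r = ['Name' => $post['txtName']];
// Validate the id as an integer instead of trusting the raw string.
$id = filter_var($post['ID'], FILTER_VALIDATE_INT);
if ($id === false) {
    autoExecute($pdo, 'content', $r, 'INSERT');
} else {
    autoExecute($pdo, 'content', $r, 'UPDATE', $id);
}
echo $pdo->query('SELECT Name FROM content')->fetchColumn(), PHP_EOL;
```

Because the name is passed as a bound parameter, the apostrophe reaches the database unescaped and unaltered, which is the behaviour the original question was after.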



Source: https://stackoverflow.com/questions/4267015/php-mysql-adodb
